RFR: 8243585: AlgorithmChecker::check throws confusing exception when it rejects the signer key [v3]
Anthony Scarpino
ascarpino at openjdk.java.net
Wed Oct 20 20:51:04 UTC 2021
On Wed, 20 Oct 2021 14:47:31 GMT, Sean Mullan <mullan at openjdk.org> wrote:
>> This fix improves the exception message to better indicate when the key (and not the signature algorithm) is restricted. This change also includes a few other improvements:
>>
>> - The constraints checking in `AlgorithmChecker.check()` has been improved. If the `AlgorithmConstraints` are an instance of `DisabledAlgorithmConstraints`, the internal `permits` methods are always called; otherwise the public `permits` methods are called. This makes the code easier to understand, and fixes at least one case where duplicate checks were being done.
>>
>> - The above change caused some of the exception messages to be slightly different, so some tests that checked the error messages had to be updated to reflect that.
>>
>> - AlgorithmDecomposer now stores the decomposed SHA algorithm names in a Map, which fixed a bug where "RSASSA-PSS" was not being restricted properly.
>
> Sean Mullan has updated the pull request incrementally with one additional commit since the last revision:
>
> - Skip digest alg decomposing check for algorithms that don't contain "SHA".
> - Remove hasLoop method and fold code into decomposeName method.
looks good to me
-------------
Marked as reviewed by ascarpino (Reviewer).
PR: https://git.openjdk.java.net/jdk/pull/5928
More information about the security-dev
mailing list